
zScaler VPN connections report regular "internal error" when SEP for Mac firewall is enabled


Article ID: 187967


Products

Endpoint Protection

Issue/Introduction

zScaler VPN connections report a recurring "internal error" when the SEP for Mac firewall is enabled, even when the firewall is configured to allow all network traffic.

zScaler typically displays "Internal Error" every few minutes, with a "Retry" button.

Cause

Under investigation.

Environment

Component : SEP for Mac

Release : all versions up to 14.3

Resolution

If you are troubleshooting SEP for Mac firewall rules, an "Allow All" rule at the top of the rule list may not take effect on its own. Instead, try an "Allow All" rule that explicitly allows the full range of remote IP addresses: IPv4 0.0.0.1 through 255.255.255.255, and IPv6 0000:0000:0000:0000:0000:0000:0000:0000 through FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.

If this works, consult your VPN documentation for the exact ports and network ranges the client uses, and narrow your "Allow VPN" rule to those.

Examine the output of the "ifconfig" command on a Mac client and look for "utun" interfaces, which VPN software uses for its tunnel. For example:

...
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
 inet 100.64.0.1 --> 100.64.0.1 netmask 0xffff0000
...

Allowing the remote IP range 100.64.0.1–100.64.255.254 (the usable hosts of the 100.64.0.0/16 network that the 0xffff0000 netmask describes) for the example above would cover the remote IPs the VPN uses on this interface.

Consult your zScaler configuration and support pages for specific ports used by the software and add those ports to the rule to make it more selective.
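The steps above can be scripted so that the remote IP range for the firewall rule is derived directly from the netmask rather than worked out by hand. The following shell script is an added example, not part of this article or of any Symantec or zScaler tooling; the ifconfig text inside it is a constructed sample, and the interface names, addresses and masks in it are assumptions chosen to mirror the article's utun2 example plus a /32 point-to-point tunnel, which is the edge case where the netmask alone gives no range and the peer address after "-->" is the only remote IP.

```shell
#!/bin/sh
# Added example (not from the KB article): derive the remote IP range for a
# SEP for Mac firewall rule from the utun interfaces in `ifconfig` output.
set -u

# Constructed sample of `ifconfig` output (not captured from a real host).
# Real output indents with tabs; spaces are used here and both are accepted.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 100.64.0.1 --> 100.64.0.1 netmask 0xffff0000
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff'

# Dotted-quad <-> 32-bit integer helpers.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    local n
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# range_for ADDR PEER MASKHEX -> "first-last"
# A /32 point-to-point tunnel has no subnet to allow; the only remote address
# is the peer. Otherwise print the usable hosts of the subnet the netmask
# describes, which for 100.64.0.1/0xffff0000 is 100.64.0.1-100.64.255.254,
# the range the article gives for its utun2 example.
range_for() {
    local addr peer mask a net bcast
    addr=$1; peer=$2
    mask=$(( 0x$3 ))
    if [ "$mask" -eq $(( 0xffffffff )) ]; then
        echo "$peer-$peer"
        return
    fi
    a=$(ip_to_int "$addr")
    net=$(( a & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    echo "$(int_to_ip $(( net + 1 )))-$(int_to_ip $(( bcast - 1 )))"
}

# utun_ranges IFCONFIG_TEXT -> one "iface first-last" line per utun interface
utun_ranges() {
    local text iface line addr peer maskhex
    text=$1
    iface=""
    printf '%s\n' "$text" | while IFS= read -r line; do
        case "$line" in
            utun[0-9]*:*) iface=${line%%:*} ;;   # start of a utun block
            [a-zA-Z]*:*)  iface="" ;;             # some other interface block
            *)
                [ -n "$iface" ] || continue
                case "$line" in
                    *"inet "*"netmask 0x"*) ;;    # IPv4 line with hex netmask
                    *) continue ;;                # inet6 lines and the rest
                esac
                # Tokens: inet ADDR [--> PEER] netmask 0xMASK ...
                set -- $line
                addr=$2; peer=$2; maskhex=""
                [ "${3:-}" = "-->" ] && peer=$4
                shift
                while [ $# -gt 1 ]; do
                    [ "$1" = "netmask" ] && maskhex=${2#0x}
                    shift
                done
                [ -n "$maskhex" ] || continue
                echo "$iface $(range_for "$addr" "$peer" "$maskhex")"
                ;;
        esac
    done
}

# On a real client replace the sample with: utun_ranges "$(ifconfig)"
utun_ranges "$SAMPLE_IFCONFIG"
```

Run it on a Mac as `utun_ranges "$(ifconfig)"` and paste each printed range into the remote-address field of the "Allow VPN" rule; the ports still come from the zScaler documentation, as the article says. Treat the /32 case with care: the tunnel's own address can change between connections, so verify the range after the client reconnects before making the rule narrower.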